Does it really make sense to use anti-CSRF tokens in a web application that is accessed by HTTPS only? If yes, then what are the possible ways to attack such a web application if anti-CSRF tokens are absent?